"I pay, therefore I am" - Twitter paywalls features to "address bots"

[HenrySalayne]

47 minutes ago, leadeater said:

Economic and social classes exist in physical life. If it happens naturally there whether people like or agree with it, or not, then it's most likely going to happen online/virtual life.

What could be a better way to illustrate the problems of modern society than taking away the voice of the poor?

[mr moose]

1 minute ago, HenrySalayne said:

What could be a better way to illustrate the problems of modern society than taking away the voice of the poor?

Poor people have bigger problems than twitter,  In fact I would argue that twitter and facebook have never done anything good for poor people.  Give them the perception of being a part of something? not when the rich people keep posting pictures of their "VACAY". Giving them the illusion of a voice? not when that voice is so muddied with poor information that they actually do themselves a disservice. Making them feel like they are as well informed as you? Everyone thinks they know better,  twitter doesn't and has never helped that in any way shape or form.  In fact  I highly doubt anyone is better off for having twitter or facebook before or after musk.

 

 

[venomtail]

I'm all for this late stage collapse of established social media networks. TikTok will survive without even feeling it, might hurt a little to see Instagram go.

[Kisai]

5 hours ago, RedRound2 said:

Slowly changing Twitter into the 'platform for the privileged (& rich bots)'.

 

And somehow this fits into his idea of addressing inequality, smh. 

 

If he really wanted to tackle bot problem, you can ask users to provide some form of KYC - like a phone number or government ID. I know not everyone will be a fan of this move, but this would actually go about solving the problem equally for everyone instead of segregating the crowd based on who has disposable income to spend on such a unnecessary first world luxury status of Twitter Blue

That doesn't actually solve the problem correctly. It works marginally well on youtube (eg you can only verify one account per phone number per year, or so.) Disposable phone numbers are a thing.

 

Like it would be less of a big deal if you only had to pay for "blue" once. But this is clearly a cash grab, and it will backfire. First he wrecked the "for you" tab by removing the chronological order, and then most people just switched to their "following" tab, and have been ignoring the "For you" tab entirely.

 

Strike 1: removing the chronological feed.

Strike 2: making the site pay-only

 

Yeah, people will just go off to any number of wannabe-competition. Like Tiktok, Like Youtube. We gave Google hell for trying to be facebook with Google+, but, now I kinda want them to come back and eat Twitter's lunch.

 

 

The way you properly verify a user is three fold, and nobody will want to do it:

1: You enter your REAL address somewhere. They mail you a verification code. Or hell, a USB drive authenticator.

2: You enter that verification code on the site when you get it, or plug in the authenticator

3: The site signs your computer, physical location with your account.

 

Now any time you are at that computer, you punch in that verification code or USB authenticator and you are logged in. If you change locations, the code no longer works. The USB authenticator also won't work if your ISP changes.

 

See how annoying that is?

 

And how about burner mail boxes? Well so sorry, but if your mailbox is in WA and you are logging in from FL, it won't work either. That's the point of signing the computer, "you told us you were in WA, so this code will check that you are in WA"

 

Basically, "verification" has always been one of those things where you can never impose it without catastrophically destroying the service. Either have to deal with the bots and have no obstacles to signing up, or you need obstacles that ensure that there is a real person at the other end, like biometrics, GPS coordinates, or just something plugged into that home network that goes "Yep, they're home"

 

Like this is not a unique problem for social media, it's also a problem for MMO games. If there's anything I trust less than social media, it's dimwitted video game server operators.

 

So. What's the true way to ensure that bots are not able to impersonate people? Well, there's Yubikey. Like the solution I mention in the middle of this post, you require that there is a physical device plugged in, and you can only access accounts "authenticated" by that device. Move the computer, and you have to re-sign the computer at the new address.

 

Simply having the physical device is not enough to login. It has to be from a whitelisted ISP/Location. If you're travelling on a mobile device, then you need to specify what device is your mobile phone, and the session on THIS device will be allowed to move, but not be permitted to change passwords or account information. Only login and post/play.

 

[Forbidden Wafer]

7 hours ago, HenrySalayne said:

My thoughts

How do other platforms manage to fight bots? Is a captcha no longer a viable option? Looking popular features behind a paywall will not make Twitter more attractive or profitable. This could just accelerate the demise of Twitter.

A bunch of algorithms, but they fail a lot and quite spectacularly.

Manual flagging is impossible when there are millions of accounts being created every day.

Captcha can be bypassed with modern AI.

 

Problem is all roots of trust are in fact insecure.

• Document? Probably leaked from a bank or government agency. 
• Phone? Can be cloned, stolen, intercepted by a fake base station.
• Voice? Can be reproduced by new AI with a few seconds of recording (do you get calls that don't say anything and turn off in a few seconds? that's what they are doing)
• Photo? Can be stolen.
• Payment? Can be cloned or stolen.

The difference is that you can call your bank and say you didn't authorize that payment and they will investigate it. Probably getting the police after the culprit.

[05032-Mendicant-Bias]

  

7 hours ago, CheeseOnion said:

He bought it for 40 billion, and yesterday (or the day before) he said Twitter was worth only 20 billion

Well, Musk is paying a billion a year in intrest alone for buying Twitter, and Twitter is never going to make a billion in profit at all. It doesn't really matter what Musk does or does not do, he can't really push twitter to a point where it can service that debt. Buying a news outlet is an hobby for multi billionares, e.g. Bezof was a lot smarter about this.

Weirdly enough, two of his companies are progressive, and Elon bought a company, planning to basically rebuild it from the ground up and loudly turn conservative. I'm not sure how Elon's thought this would go or why he thought this was a good idea. Elon could have taken all the benefits of being in the board of director of Twitter, influencing its development, with none of the cost and passed it over.

 

In my opinion, Musk should just flex his wealth, clear all debt, and use twitter as his own personal megaphone or to further his agenda and post memes.

 

30 minutes ago, Forbidden Wafer said:

Problem is all roots of trust are in fact insecure.

If you make it expensive to create bots, there are going to be a lot fewer bots. People that make bots do it to make money, not to troll Elon.
 

I'm somewhat surprised Musk isn't able to fix the bot problem, the recipe to fix it is know. This video from a creator I follow made a video in which they create a twitter bot and expose a tiny sliver of the Twitter botnet. They claim that they couldn't do the same on Facebook because on facebook there are mandatory checks for government issued IDs. So yes, Facebook does more KYC than twitter or crypto exchanges.

  

4 hours ago, mr moose said:

In fact I would argue that twitter and facebook have never done anything good for poor people. 

Exposing poor people to a scammer who fake a good life, and can sell you the recipe that will make poor people definitely not even poorer for it. Andrew Tate style.

[HenrySalayne]

36 minutes ago, Forbidden Wafer said:

A bunch of algorithms, but they fail a lot and quite spectacularly.

Manual flagging is impossible when there are millions of accounts being created every day.

Captcha can be bypassed with modern AI.

 

Problem is all roots of trust are in fact insecure.

• Document? Probably leaked from a bank or government agency. 
• Phone? Can be cloned, stolen, intercepted by a fake base station.
• Voice? Can be reproduced by new AI with a few seconds of recording (do you get calls that don't say anything and turn off in a few seconds? that's what they are doing)
• Photo? Can be stolen.
• Payment? Can be cloned or stolen.

The difference is that you can call your bank and say you didn't authorize that payment and they will investigate it. Probably getting the police after the culprit.

I'm sure bots can still be broken by captchas and identified by heuristic methods - at least in large numbers. We should not forget that Twitter removed free access to the API to "address bots". Without API access it already is a lot harder to make bots work and not break with every tiny update.

Verification is a permanent status. It doesn't make sense to ask for a subscription, it could easily be a one-off fee.

 

[HenrySalayne]

New users are not eligible to subscribe to Twitter Blue  receive a blue checkmark. So I'm curious if "verified" means blue checkmark (as it should be).

 

 

[wanderingfool2]

7 minutes ago, HenrySalayne said:

I'm sure bots can still be broken by captchas and identified by heuristic methods - at least in large numbers. We should not forget that Twitter removed free access to the API to "address bots". Without API access it already is a lot harder to make bots work and not break with every tiny update.

Verification is a permanent status. It doesn't make sense to ask for a subscription, it could easily be a one-off fee.

 

Captcha's are only trivially effective in preventing bots and present more pain to the end users.  Heuristics have a tendency to also encompass a lot of regular users as well.

 

Then there's the added cost, Google charges $1 per 1000 api calls.  So for every 1 million attempted sign ups you would pay $1000, at 2 mill new users a day (most of which are inactive), you effectively are paying $730k per year.  That assumes as well its just the initial sign up (and that bots don't attempt it over and over again).

 

Then you factor in that it only costs $1 per 1000 to solve (where it's a mix of human and AI solving), if you rely on just AI it's cheaper.  At a certain point when user mass hits a certain level captchas become relatively unimportant.

 

Heuristics also won't necessarily work, you can hire a human to run a lot of the bot scams (or have VM's that emulate acting human in their mouse movements).  It's been a thing for quite some time in the dark web.

[Quackers101]

like they cant do bots for paid either, as some bots are. its stupid enforcement of elon trying to convice its more than to benefit "himself".

dont see how some people goes along with it, thinking it will improve. soon you cant even like or engage without paying.

[Forbidden Wafer]

36 minutes ago, HenrySalayne said:

I'm sure bots can still be broken by captchas and identified by heuristic methods - at least in large numbers. We should not forget that Twitter removed free access to the API to "address bots". Without API access it already is a lot harder to make bots work and not break with every tiny update.

 

Verification is a permanent status. It doesn't make sense to ask for a subscription, it could easily be a one-off fee.

37 minutes ago, HenrySalayne said:

Verification is a permanent status. It doesn't make sense to ask for a subscription, it could easily be a one-off fee.

The act of verifying, yes.

 

But since they don't actually check anything other than if a payment was received, then no.

I would have modeled it after Monte Carlo.

People that pay it once has a certain chance of being legit (e.g. modeling it with with a coin flip, 50%).

People that pay it twice have 50% more certainty of being legit rather than those that pay it once.

We can put that into a formula: 1-(0.5^k). And solving it for k=12 (1 year), we have 99.95% certainty it isn't a bot.

If it works for US greencard evaluation/assessment/whatever they call it, works for verification in a social network.

[cmndr]

A lot of the negative Musk/Twitter sentiment comes from people who had a very particular view point that they wanted privileged and propagated. And they were fine when Russian or Chinese bots upvoted the most extreme of views. Views that were mainline just 5-10 years ago are now being screamed at as bigoted by people who previously would've themselves been seen as morally questionable at best based on the content of their character. 

I've never really "gotten" twitter but as an outsider, my main critiques of Musk so far is that he's just acted too quickly. These are generally the right steps. 

[Kisai]

36 minutes ago, cmndr said:

I've never really "gotten" twitter but as an outsider, my main critiques of Musk so far is that he's just acted too quickly. These are generally the right steps. 

Twitter has always been a micro-news/micro-blog. The original 140 character limit was so the tweets fit in SMS messages.

 

The logic being, you'd subscribe to things like CNN or New York Times and get updates in real time.

 

That has also never been case. Sure you could do that, but most people use it to follow celebrities/interact with their fans that are on it, or maintain business contacts. Doing anything else (eg harassment, fake engagement, etc) just wastes peoples time.

 

Like of all the celebrities' I actually care about, they've long since stopped using twitter to promote their own stuff and just post dunks on right-wing idiot balls.

 

If there was ever a piece of truth that has to be said, it's that the only way you keep from being canceled, is by equally dunking on everyone, in a space you control. Twitter is not a space you control. The South Park creators have been waiting to be canceled for decades, and haven't. Do you think they care what people say about SP or them personally online? No.

 

But a lot more people are narcissist's by nature, and just can not stand being wrong, or being told they are a bad person because they believe something insane. Mix that with parasocial idiots who believe they have power over celebrities, and also the sociopaths who get a thrill over trolling people online until they kill themselves, and you see why the algorithms on social media are regularly pouring gas on sparks.

 

Like it's been observed over the last two months, twitter's "algorithm" has been pushing things out to exactly the wrong audiences (such as the drama over the Harry Potter game.) 

 

So will twitter still be around in 2 years? Probably not. It will be dead like Tumblr and Myspace. Learn from the mistakes of the past, or you are doomed to repeat them.

 

[ravenshrike]

10 hours ago, PcBeExpensive said:

saw this today. It's bullshit, its so obviously for the money. Even the for you page will be removed unless you have the blue tick, what the hell. I used to like Elon and think he was smart, I was wrong. Next thing you will need to pay to get a twitter account.

Of course it's for the money. There are two revenue sources possible, users and advertisers. Advertising revenue is in the dumps and will remain so until Twitter can show that the bot count is down to reasonable levels which the paywall will manifestly do, and they'll only get money from users if the users want access to a feature. 

9 hours ago, Needfuldoer said:

Surely this has nothing to do with it.

 

Ain't nobody remotely qualified that would want to touch twitter with a ten foot poll and be subject to Elon's mandates keeping it a relatively free(post topic wise) platform that isn't a government agent plant.

[RedRound2]

15 hours ago, Kisai said:

That doesn't actually solve the problem correctly. It works marginally well on youtube (eg you can only verify one account per phone number per year, or so.) Disposable phone numbers are a thing.

 

Like it would be less of a big deal if you only had to pay for "blue" once. But this is clearly a cash grab, and it will backfire. First he wrecked the "for you" tab by removing the chronological order, and then most people just switched to their "following" tab, and have been ignoring the "For you" tab entirely.

 

Strike 1: removing the chronological feed.

Strike 2: making the site pay-only

 

Yeah, people will just go off to any number of wannabe-competition. Like Tiktok, Like Youtube. We gave Google hell for trying to be facebook with Google+, but, now I kinda want them to come back and eat Twitter's lunch.

 

 

The way you properly verify a user is three fold, and nobody will want to do it:

1: You enter your REAL address somewhere. They mail you a verification code. Or hell, a USB drive authenticator.

2: You enter that verification code on the site when you get it, or plug in the authenticator

3: The site signs your computer, physical location with your account.

 

Now any time you are at that computer, you punch in that verification code or USB authenticator and you are logged in. If you change locations, the code no longer works. The USB authenticator also won't work if your ISP changes.

 

See how annoying that is?

 

And how about burner mail boxes? Well so sorry, but if your mailbox is in WA and you are logging in from FL, it won't work either. That's the point of signing the computer, "you told us you were in WA, so this code will check that you are in WA"

 

Basically, "verification" has always been one of those things where you can never impose it without catastrophically destroying the service. Either have to deal with the bots and have no obstacles to signing up, or you need obstacles that ensure that there is a real person at the other end, like biometrics, GPS coordinates, or just something plugged into that home network that goes "Yep, they're home"

 

Like this is not a unique problem for social media, it's also a problem for MMO games. If there's anything I trust less than social media, it's dimwitted video game server operators.

 

So. What's the true way to ensure that bots are not able to impersonate people? Well, there's Yubikey. Like the solution I mention in the middle of this post, you require that there is a physical device plugged in, and you can only access accounts "authenticated" by that device. Move the computer, and you have to re-sign the computer at the new address.

 

Simply having the physical device is not enough to login. It has to be from a whitelisted ISP/Location. If you're travelling on a mobile device, then you need to specify what device is your mobile phone, and the session on THIS device will be allowed to move, but not be permitted to change passwords or account information. Only login and post/play.

 

What about a unique government ID? I know that many countries still are yet to implement robust National ID systems, but eventually we will get there. And there can be sort of clearance level for unique IDs and service like Twitter will fall in the lowest category, where they can just authenticate with a government portal whether you exist as a real person or not. Once verified - hash the ID and save it in your database. In case it gets leaked, it's useless, since its hashed anyway.

This itself I feel would stop 99% of the bots.

[leadeater]

46 minutes ago, RedRound2 said:

What about a unique government ID? I know that many countries still are yet to implement robust National ID systems, but eventually we will get there. And there can be sort of clearance level for unique IDs and service like Twitter will fall in the lowest category, where they can just authenticate with a government portal whether you exist as a real person or not. Once verified - hash the ID and save it in your database. In case it gets leaked, it's useless, since its hashed anyway.

This itself I feel would stop 99% of the bots.

We have that here, it's newish but works quite well for what uses it.

 

Quote

You can use your RealMe login for both work and personal services. Your personal details are never shared with the organisation or service you log into.

https://www.realme.govt.nz/

[Kisai]

1 hour ago, RedRound2 said:

What about a unique government ID? I know that many countries still are yet to implement robust National ID systems, but eventually we will get there. And there can be sort of clearance level for unique IDs and service like Twitter will fall in the lowest category, where they can just authenticate with a government portal whether you exist as a real person or not. Once verified - hash the ID and save it in your database. In case it gets leaked, it's useless, since its hashed anyway.

This itself I feel would stop 99% of the bots.

It will never work in the US. Americans are very against national ID systems, even though technically they have three of them. SSN, Passport, and state DL/ID.

 

But more to the point, it's not even necessary. Just go open a bank account somewhere that requires you to hold a $500 deposit, and require the bank facilitate the identity check. That's what we do in Canada when logging into the CRA website.

https://www.canada.ca/en/revenue-agency/services/e-services/e-services-individuals/account-individuals.html click "sign in partners"

 

That's much less of a pain than having "Yet another login" to something, and since it's something that is far less disposable than a credit card or a prepaid phone, it's more practical that everyone has an account somewhere. Most of the banks require somewhere between $5 and $5000 to be held to have an account.

 

[Mihle]

39 minutes ago, leadeater said:

We have that here, it's newish but works quite well for what uses it.

 

https://www.realme.govt.nz/

Personal details never shared? How do that work, doesn't at least the name have to be shared?

 

Norway has this, I do not know what info the service you log in to get or doesn't get.

https://www.bankid.no/en/private/

[Kaas0001]

14 hours ago, 05032-Mendicant-Bias said:

and Twitter is never going to make a billion in profit at all

Thats true, but if you can mitigate some costs by introducing a subscription, turn around more money so investors (if they go public again) can pump more money into it and highten the value, then I think its just all about money and (trying) to eventually turn a profit

 

But im not a financial wizard, nor do I know what is happening behind the scens, its just speculating

[RedRound2]

1 hour ago, Mihle said:

Personal details never shared? How do that work, doesn't at least the name have to be shared?

 

Norway has this, I do not know what info the service you log in to get or doesn't get.

https://www.bankid.no/en/private/

Technically a "Yes, this person is real" API response is enough. If you want more details - you have to justify to the government on why you need and get higher clearance (say you are a bank, or insurance, or airport, etc). Or you can ask the user on what details on how much details they want to share with the service. Not sure if this is how it works in NZ, but at least this is my idea of it.

[RedRound2]

1 hour ago, Kisai said:

It will never work in the US. Americans are very against national ID systems, even though technically they have three of them. SSN, Passport, and state DL/ID.

The americans

 

Just add more features to change SSN and/or passport into a National ID and no one will see it even happening.

But then again American government doesnt really have the cleanest track record of respecting user's privacy, so I don't really know. 

 

I know it sounds cliche, but an open source blockchain like tech can actually be helpful here. If implemented the right way, I think.

1 hour ago, Kisai said:

But more to the point, it's not even necessary. Just go open a bank account somewhere that requires you to hold a $500 deposit, and require the bank facilitate the identity check. That's what we do in Canada when logging into the CRA website.

https://www.canada.ca/en/revenue-agency/services/e-services/e-services-individuals/account-individuals.html click "sign in partners"

The issue with that is that it falls on the bank to set up the infrastructure. They won't do that unless there is profitability aspect. It might be in Canada, but I doubt everyone will jump on board. Also, would not work as well in developing countries where many people don't even have bank accounts, but would have at least a voter's ID.

[Sauron]

Incredible. It's only been a few months since they made "verified" a paid service with this exact same excuse and immediately had to roll back the change because it made the spam problem 100 times worse. Right now everyone can vote in polls and actual people likely outnumber active bots on any given large poll; what do you think will happen if you restrict the pool? Suddenly you'll only need a few dozen spam accounts rather than hundreds or thousands to overwhelm the poll. Further, who even cares? Only Musk is using twitter polls to decide the course of his life, which maybe should give him the hint to stop doing that.

[Kisai]

2 hours ago, RedRound2 said:

The americans

 

Just add more features to change SSN and/or passport into a National ID and no one will see it even happening.

But then again American government doesnt really have the cleanest track record of respecting user's privacy, so I don't really know. 

 

I know it sounds cliche, but an open source blockchain like tech can actually be helpful here. If implemented the right way, I think.

The issue with that is that it falls on the bank to set up the infrastructure. They won't do that unless there is profitability aspect. It might be in Canada, but I doubt everyone will jump on board. Also, would not work as well in developing countries where many people don't even have bank accounts, but would have at least a voter's ID.

Not every country is going to have the same solution, and the longer countries kick the can down the road on agreeing on some international pseudo-anonymous internet identity system, the faster the AI's will adapt.

 

Like I said there are multiple solutions that exist right now.

 

You have things like the Yubikey which can be used as a "yes there is a physical person with this key plugged into this device, right now" but nothing really stopping someone from ordering a million of them and just having them plugged into a million emulated virtual machines.  It makes it more expensive to create disposable accounts, but doesn't remove it.

 

You have the possibility of permitting banks to be that identity authenticator. Where you login to the bank with your bank card and password any time you try to change the identity information on the account, but otherwise login to it via a standard 2FA check. That solves both the account take-over(TKO) problem and the identity verification without having to hand over personal information yet again. However that does create a different problem where the bank decides to close an account or re-issue a card, or re-number their bank accounts (all of which I've experienced at some point), causing everything linked to it to just stop working.

 

Alternative options that have to be run by the government, involve handing over your identity information to the site operator to run against a government ID database, or a "Credit worthiness" check which is what is always done when you sign up for postpaid cell phones, electricity, landline phone, gas, or internet service.

 

But as I said before. You can't use a disposable thing as your "authenticator", phone numbers and credit card's are disposable. Burner phones are a thing. Replacing a sim card is often a $25 charge. It's not cheap, but it's not an obstacle for someone who wants to personally harass someone on twitter.

 

No, the real solution to "bot" problems has always been to use hardware token generators, and nobody wants to have a dozen of these things just to login to services. It's no better than losing your password at that point.

 

So it's a bold face lie that paying for blue will stop bots. It's a cash grab, and nobody is going to be stupid enough to pay for it. Either you matter, and everyone you engage with is already following you, thus you don't need it, or you're a nothing, and blue won't help you anyway.

[leadeater]

3 hours ago, RedRound2 said:

Technically a "Yes, this person is real" API response is enough. If you want more details - you have to justify to the government on why you need and get higher clearance (say you are a bank, or insurance, or airport, etc). Or you can ask the user on what details on how much details they want to share with the service. Not sure if this is how it works in NZ, but at least this is my idea of it.

Yep that's pretty much exactly how it works. One of the local crypto exchanges here supports RealMe login for it, part of our financial laws is proof of identification and since that industry isn't very well trusted they saw it as a way to get that trust since all that personal and important information is handled by the Gov. All they do is handle transactions and tie them to proven "identities".

[leadeater]

58 minutes ago, Kisai said:

You have things like the Yubikey which can be used as a "yes there is a physical person with this key plugged into this device, right now" but nothing really stopping someone from ordering a million of them and just having them plugged into a million emulated virtual machines.  It makes it more expensive to create disposable accounts, but doesn't remove it.

These can be virtualized, not going to help at all.

https://krypt.co/